-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] infozip (SSA:2005-121-01)
New infozip (zip/unzip) packages are available for Slackware 8.1, 9.0,
9.1, 10.0, 10.1, and -current to fix security issues.
- From the www.info-zip.org site:
Zip 2.3 and (presumably) all previous versions have a buffer-
overrun vulnerability relating to deep directory paths that could
potentially lead to local privilege escalation (e.g., in the case of
automated, Zip-based backups). See the FAQ page for details.
All versions of UnZip through 5.50 have a number of directory-
traversal vulnerabilities, and version 5.50 also has a textmode data-
corruption bug that affects 16-bit ports such as MS-DOS. See the FAQ
page for details.
Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/infozip-5.52-i486-1.tgz: Upgraded to unzip552.tar.gz and
zip231.tar.gz. These fix some buffer overruns if deep directory paths are
packed into a Zip archive which could be a security vulnerability (for
example, in a case of automated archiving or backups that use Zip). However,
it also appears that these now use certain assembly instructions that might
not be available on older CPUs, so if you have an older machine you may wish
to take this into account before deciding whether you should upgrade.
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/infozip-5.52-i486-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/infozip-5.52-i486-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/infozip-5.52-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/infozip-5.52-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/infozip-5.52-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/infozip-5.52-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
d3fd87796f1303bf17b94611b4827d60 infozip-5.52-i486-1.tgz
Slackware 9.0 package:
af5f763f9dadadd473032bdebd76f085 infozip-5.52-i486-1.tgz
Slackware 9.1 package:
8d8e78360cd13b2a0f7f0db9a538d031 infozip-5.52-i486-1.tgz
Slackware 10.0 package:
c8ab2971135894313f241a91f11ff02b infozip-5.52-i486-1.tgz
Slackware 10.1 package:
0a94f56bc134975d5fff2f259121b9ad infozip-5.52-i486-1.tgz
Slackware -current package:
e90e33f4fbd2c312faa556bea61e123e infozip-5.52-i486-1.tgz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg infozip-5.52-i486-1.tgz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFCddJvakRjwEAQIjMRApNVAKCBFfwk++a7jnBOyY6ujkpJ/3x1nwCgjFGI
nF5ZF5XOIeRNCC20DijzYc0=
=X5Uu
-----END PGP SIGNATURE-----

Slackware® is a registered trademark of Slackware Linux, Inc. All logos and graphics are copyrighted.